CVE-2024-5987: 
WordPress vulnerability analysis and mitigation

The WP Accessibility Helper (WAH) plugin for WordPress contains a vulnerability (CVE-2024-5987) due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in versions up to and including 0.6.2.8. This security flaw was discovered and reported by Wordfence (Wordfence Advisory).

The vulnerability is classified as CWE-862 (Missing Authorization) and received a CVSS v3.1 base score of 4.3 (MEDIUM) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, while Wordfence assigned a slightly higher score of 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (NVD Database).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to edit or delete contrast settings in the WordPress installation. This could potentially affect the accessibility features of the website for users who rely on specific contrast settings (NVD Database).

While the issues were patched in version 0.6.2.8, it was noted that the patch broke functionality and the vendor has not responded to follow-up communications. Users should consider updating to version 0.6.2.9 or later, or implementing additional access controls to restrict unauthorized modifications to contrast settings (NVD Database).